Configure Bindaas with Kong 0.12 as Authentication Provider
You are reading an old version of this page. You should probably configure Bindaas with a later version of Kong instead.
You may disable the authentication of Bindaas in favor of leveraging an authentication mechanism provided by an external authentication provider such as an API gateway.
In such a case, the apikey in the query below is validated by the API gateway external to Bindaas, not by Bindaas itself.
$ curl 'http://localhost:9099/services/test/mongo/query/find?apikey=4n6UBle6Jx5EpvvbqbASzD93pgjEZ6AM'
Here we will look into configuring Kong using its Docker container as the authentication provider for Bindaas.
Please note that Kong uses the parameter "apikey", unlike Bindaas, which uses "api_key". The parameter name can differ between API gateways and authentication providers, so check which one your setup expects.
First, get Sharmalab's kong-ldap repository:
$ git clone https://github.com/sharmalab/kong-ldap.git
Now run the buildRun script:
$ cd kong-ldap
$ sh buildRun.sh
To configure the services:
$ curl -i -X POST --url http://127.0.0.1:8001/apis/ --data 'name=bindaxy' --data 'hosts=bindaxy.com' --data 'upstream_url=http://docker.for.mac.host.internal:9099'
If neither Bindaas nor Kong is configured with authentication, you may call the API without an api_key, as shown below:
$ curl -i -X GET --url http://127.0.0.1:8000/services/test/mongo/query/find --header 'Host: bindaxy.com'
If Bindaas is configured with authentication, provide the api_key that Bindaas generated for the user:
$ curl -i -X GET --url 'http://127.0.0.1:8000/services/test/mongo/query/find?api_key=d9076d81-147d-44c3-9af6-d3dc5d9f204b' --header 'Host: bindaxy.com'
To configure the dashboard:
$ curl -i -X POST --url http://127.0.0.1:8001/apis/ --data 'name=bindax' --data 'hosts=bindax.com' --data 'upstream_url=http://docker.for.mac.host.internal:8080'
$ curl -i -X GET --url http://127.0.0.1:8000/dashboard/ --header 'Host: bindax.com'
The above commands are for Docker for Mac.
Replace "docker.for.mac.host.internal" in the above commands with "host.docker.internal" for Docker environments other than "Docker for Mac".
First, disable Bindaas's own authentication by configuring bin/bindaas.config.json as below:
"enableAuthentication": false,
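$ curl -i -X POST \
  --url http://localhost:8001/apis/bindaxy/plugins/ \
  --data 'name=key-auth'
The above command secures the "bindaxy" API that we created before with apikey authentication. The apikey can be passed as a header (using -H 'apikey: <some_key>') or in the URL (as shown on this page). Because Bindaas no longer authenticates requests itself, Kong is now the only component checking credentials, so the Bindaas port (9099) should be reachable only through Kong.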
More information can be found at https://docs.konghq.com/plugins/key-authentication/
Now, if you invoke the API without providing an apikey, Kong returns the message below.
$ curl -i -X GET --url http://127.0.0.1:8000/services/test/mongo/query/find --header 'Host: bindaxy.com'
HTTP/1.1 401 Unauthorized
Date: Thu, 26 Jul 2018 16:57:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Key realm="kong"
Server: kong/0.12.3
{"message":"No API key found in request"}
If you provide an invalid apikey, Kong returns the error message below:
$ curl -i -X GET --url 'http://127.0.0.1:8000/services/test/mongo/query/find?apikey=d9076d81-147d-44c3-9af6-d3dc5d9f204b' --header 'Host: bindaxy.com'
HTTP/1.1 403 Forbidden
Date: Thu, 26 Jul 2018 17:05:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.12.3
{"message":"Invalid authentication credentials"}
Create a consumer:
$ curl -X POST http://127.0.0.1:8001/consumers/ \
  --data "username=<USERNAME>" \
  --data "custom_id=<CUSTOM_ID>"
$ curl -X POST http://127.0.0.1:8001/consumers/ \
  --data "username=pradeeban" \
  --data "custom_id=pradeeban"
{"custom_id":"pradeeban","created_at":1532625729000,"username":"pradeeban","id":"5a4204d9-e5a9-4b4e-9187-833b1c9c68ea"}
Create an apikey:
$ curl -X POST http://127.0.0.1:8001/consumers/{consumer}/key-auth -d ''
$ curl -X POST http://127.0.0.1:8001/consumers/pradeeban/key-auth -d ''
{"id":"69055690-6373-405d-8d2a-c17bb7137b23","created_at":1532625748000,"key":"4n6UBle6Jx5EpvvbqbASzD93pgjEZ6AM","consumer_id":"5a4204d9-e5a9-4b4e-9187-833b1c9c68ea"}
Now, let's use the correct apikey:
$ curl -i -X GET --url 'http://127.0.0.1:8000/services/test/mongo/query/find?apikey=4n6UBle6Jx5EpvvbqbASzD93pgjEZ6AM' --header 'Host: bindaxy.com'
This should give you the correct output!
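A check of the behaviour walked through above, as an added example rather than part of the original page or the Bindaas project: it sends the three requests (no key, invalid key, valid key) through the Kong proxy and compares the status codes with those shown for kong/0.12.3. The key is sent in the apikey header, which keeps it out of URLs that end up in access logs; the environment variable names, the placeholder invalid key and the 200 expected for a successful query are assumptions.

```shell
#!/bin/sh
# Added example: confirms that Kong's key-auth plugin is enforcing access to
# the "bindaxy" API after Bindaas's own authentication has been disabled.
# KONG_PROXY, API_HOST, API_PATH and APIKEY are assumed variable names; the
# defaults for the first three are the values used on this page.

KONG_PROXY="${KONG_PROXY:-http://127.0.0.1:8000}"
API_HOST="${API_HOST:-bindaxy.com}"
API_PATH="${API_PATH:-/services/test/mongo/query/find}"

# Print only the HTTP status code of a GET sent through the Kong proxy.
# Any arguments are passed to curl as extra options (e.g. -H 'apikey: ...').
http_status() {
    curl -s -o /dev/null -w '%{http_code}' \
         -H "Host: $API_HOST" "$@" "$KONG_PROXY$API_PATH"
}

# Run one probe and compare its status with the expected one.
expect() {
    label=$1; want=$2; shift 2
    got=$(http_status "$@")
    if [ "$got" = "$want" ]; then
        echo "ok    $label -> $got"
    else
        echo "FAIL  $label -> $got (expected $want)"
        return 1
    fi
}

# Returns 0 only if all three cases behave as expected.
# 401 and 403 are the codes shown on this page for kong/0.12.3;
# 200 for a successful Bindaas query is an assumption.
verify_key_auth() {
    valid_key=$1; rc=0
    expect "no apikey"      401                             || rc=1
    expect "invalid apikey" 403 -H "apikey: not-a-real-key" || rc=1
    expect "valid apikey"   200 -H "apikey: $valid_key"     || rc=1
    return $rc
}

# Contact a live gateway only when a key is supplied:
#   APIKEY=<your key> sh check_key_auth.sh
if [ -n "${APIKEY:-}" ]; then
    verify_key_auth "$APIKEY"
fi
```

A FAIL on the "no apikey" line means the key-auth plugin is not attached to the API, so requests are reaching Bindaas unauthenticated.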